MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d66f5288a48f0e4e35601236c1521ac742420c3e127b11aa190fc54b7ad85ad5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Gozi


Vendor detections: 17


Intelligence 17 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d66f5288a48f0e4e35601236c1521ac742420c3e127b11aa190fc54b7ad85ad5
SHA3-384 hash: 26ea4570ea74d2cb18aa693fcf9cdda4a53c43db10a112d780fa21e2f5e6a85d9d03eaff390692c737b7643dfa6e8759
SHA1 hash: d912c978f83f0eed11a70eaaccc79543af5d7ccb
MD5 hash: 7f4e427936de0eecd46ce643bf5c0d36
humanhash: arizona-enemy-timing-quebec
File name:1m9SiKSPDk41YBI2wVIax0JCDD4SexGqGQ-FS3rYWtU.bin
Download: download sample
Signature Gozi
Create hunting rule
File size:1'628'936 bytes
First seen:2023-07-19 17:52:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:Lqy2xGQm4hQgFyf6eQoez4SBylteu8Kd6mNIlQtZT2/jvemgB4toFv0lk4HcWNCI:NMy8Kd6mOatZT2/jJ0wovQfHcWNCI
Threatray 273 similar samples on MalwareBazaar
TLSH T17A757B03F6578BF2E2A91B36DA9B18048365DD83731BD70B788A23D755233AB9CC6507
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter k3dg3___
Tags:878155 exe Gozi Ursnif

Intelligence

File Origin
# of uploads :
1
# of downloads :
360
Origin country :
US US
Vendor Threat Intelligence
Malware family:
ursnif
Create hunting rule
ID:
1
File name:
1m9SiKSPDk41YBI2wVIax0JCDD4SexGqGQ-FS3rYWtU.bin
Verdict:
Malicious activity
Analysis date:
2023-07-19 17:53:49 UTC
Tags:
gozi ursnif dreambot trojan stealer
Link:
https://app.any.run/tasks/5e4dbbe3-78a0-4c63-80f8-203b7ad91cd0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
UrsnifV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/425629/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.22653.24368.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade overlay packed
Link:
https://www.filescan.io/uploads/64b822fffd9e198dc1162dab/reports/90cf87ff-f37a-44a8-82c7-dccb762af0f4/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/d66f5288a48f0e4e35601236c1521ac742420c3e127b11aa190fc54b7ad85ad5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/ce24c0d7-d59a-445f-bb82-1c9027c72836
Result
Threat name:
Ursnif
Create hunting rule
Detection:
malicious
Classification:
bank.troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1276178
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes memory attributes in foreign processes to executable or writable
Contains VNC / remote desktop functionality (version string found)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Found malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Dot net compiler compiles file from suspicious location
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Yara detected Ursnif
Yara detected Costura Assembly Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1276178 Sample: 1m9SiKSPDk41YBI2wVIax0JCDD4... Startdate: 19/07/2023 Architecture: WINDOWS Score: 100 115 Snort IDS alert for network traffic 2->115 117 Multi AV Scanner detection for domain / URL 2->117 119 Found malware configuration 2->119 121 13 other signatures 2->121 9 1m9SiKSPDk41YBI2wVIax0JCDD4SexGqGQ-FS3rYWtU.bin.exe 5 2->9         started        13 mshta.exe 19 2->13         started        15 mshta.exe 2->15         started        process3 file4 79 C:\...\loader_250260_878155_1724_17072023.exe, PE32 9->79 dropped 81 1m9SiKSPDk41YBI2wV...S3rYWtU.bin.exe.log, ASCII 9->81 dropped 123 Writes or reads registry keys via WMI 9->123 125 Writes registry values via WMI 9->125 127 Injects a PE file into a foreign processes 9->127 17 1m9SiKSPDk41YBI2wVIax0JCDD4SexGqGQ-FS3rYWtU.bin.exe 6 9->17         started        20 loader_250260_878155_1724_17072023.exe 1 6 9->20         started        23 1m9SiKSPDk41YBI2wVIax0JCDD4SexGqGQ-FS3rYWtU.bin.exe 9->23         started        25 powershell.exe 30 13->25         started        28 powershell.exe 15->28         started        signatures5 process6 dnsIp7 93 Allocates memory in foreign processes 17->93 95 Maps a DLL or memory area into another process 17->95 30 control.exe 17->30         started        91 185.212.47.65, 49696, 49697, 80 SERVINGADE Sweden 20->91 97 Antivirus detection for dropped file 20->97 99 Machine Learning detection for dropped file 20->99 101 Writes or reads registry keys via WMI 20->101 103 Writes registry values via WMI 20->103 33 control.exe 20->33         started        83 C:\Users\user\AppData\...\sr55hqyt.cmdline, Unicode 25->83 dropped 105 Injects code into the Windows Explorer (explorer.exe) 25->105 107 Writes to foreign memory regions 25->107 109 Modifies the context of a thread in another process (thread injection) 25->109 111 Found suspicious powershell code related to unpacking or dynamic code loading 25->111 35 explorer.exe 25->35 injected 38 csc.exe 3 25->38         started        41 csc.exe 25->41         started        43 conhost.exe 25->43         started        113 Creates a thread in another existing process (thread injection) 28->113 45 csc.exe 28->45         started        47 csc.exe 28->47         started        49 conhost.exe 28->49         started        file8 signatures9 process10 dnsIp11 129 Injects code into the Windows Explorer (explorer.exe) 30->129 131 Writes to foreign memory regions 30->131 133 Allocates memory in foreign processes 30->133 51 rundll32.exe 30->51         started        53 rundll32.exe 33->53         started        85 185.212.44.76, 49698, 80 SERVINGADE Sweden 35->85 87 94.247.42.213, 49699, 80 MEER-ASmeerfarbigGmbHCoKGDE Germany 35->87 89 107.158.128.38, 49700, 9955 EONIX-COMMUNICATIONS-ASBLOCK-62904US United States 35->89 135 System process connects to network (likely due to code injection or exploit) 35->135 137 Tries to steal Mail credentials (via file / registry access) 35->137 139 Changes memory attributes in foreign processes to executable or writable 35->139 141 5 other signatures 35->141 55 cmd.exe 35->55         started        57 RuntimeBroker.exe 35->57 injected 67 4 other processes 35->67 71 C:\Users\user\AppData\Local\...\sr55hqyt.dll, PE32 38->71 dropped 59 cvtres.exe 38->59         started        73 C:\Users\user\AppData\Local\...\dxesmoz3.dll, PE32 41->73 dropped 61 cvtres.exe 41->61         started        75 C:\Users\user\AppData\Local\...\a2iax0kn.dll, PE32 45->75 dropped 63 cvtres.exe 45->63         started        77 C:\Users\user\AppData\Local\...\lbhet4zj.dll, PE32 47->77 dropped 65 cvtres.exe 47->65         started        file12 signatures13 process14 process15 69 conhost.exe 55->69         started       
Detection:
gozi
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d66f5288a48f0e4e35601236c1521ac742420c3e127b11aa190fc54b7ad85ad5/
Threat name:
Win32.Trojan.Gozi
Create hunting rule
Status:
Malicious
First seen:
2023-07-19 17:53:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
18 of 25 (72.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2zxvfcfer4he4nlaci3mcuq2y5beedb6cj5rdkqzb7cuw6wyllkq._file
Verdict:
malicious
Label(s):
gozi
Create hunting rule
Similar samples:
0423fd21a639d16d71c50b15fdf96b7e19690583b2aee6f25443329d0e8ea0eb
Gozi
06864a9cd9890f3c1aad6bdc5dfbfb799e68f5f90a99b6146ca70850d0a249a1
Gozi
7bed2fb3176716bd5f0a077cf8a670f6dbdf9d90d0091dc40a25f7c7bf4ab038
Gozi
8291f9579288153e0a1812c6c528563634c5c41b0916c606f7d8b4544ccc381a
Gozi
a8c9c3b481e9f453c9dce5939a7e8c6c220ebbadd6cb16a7d7436d55ed19d971
Gozi
d42f53c75818af4aae281a0c3f760e20643852405d69134d03f6ba5c62efe316
Gozi
d50570c1b4d064fb1f6e855d0c27ac1958a7a32c3cef5e6373094d82647f5bd4
Gozi
ea2d71af9790b0a058d0d166c52c2609a1a106053189c515b6059b5f18e9e48b
Gozi
+ 263 additional samples on MalwareBazaar
Result
Malware family:
gozi
Create hunting rule
Score:
  10/10
Tags:
family:gozi botnet:878155 banker isfb trojan
Link:
https://tria.ge/reports/230719-wgaehsah5s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Gozi
Malware Config
C2 Extraction:
http://185.212.47.65
http://45.155.249.172
http://78.138.9.136
http://79.132.130.230
https://listwhfite.check3.yaho1o.com
https://lisfwhite.ch2eck.yaheoo.com
http://45.155.250.58
https://liset.che3ck.bi1ng.com
http://45.155.249.91
Unpacked files
SH256 hash:
8f104e567b1b1f0833576229edd95c3a6a2f4b640c24fba99c581991ff296710
MD5 hash:
8f13cd71e770c5c9f47977f56ebe5439
SHA1 hash:
c17572a287295e4e13064ff71ad049c15ec5a071
Detections:
ISFB_Main
Create hunting rule
win_isfb_auto
Create hunting rule
Link:
https://www.unpac.me/results/c324a780-931b-49a9-9ea5-688762f33490/
SH256 hash:
840c2b7c71c342a907a1c736752ab9d3df0a414348b406944ed2fff2f8fa0853
MD5 hash:
0eaff0efcba707c5e30380b97868aeb1
SHA1 hash:
aa792742edf0ef93044d6241148f7d1bda45e4ac
Link:
https://www.unpac.me/results/c324a780-931b-49a9-9ea5-688762f33490/
SH256 hash:
39f62e75877e7454661178e8c171d392bf229e75ef3c3e4ff0456cca40851aec
MD5 hash:
3969005fd29b3dfb0d2426acc4a56cd4
SHA1 hash:
9436d62cfa38f397ad416498e81c3bad2a2796a7
Link:
https://www.unpac.me/results/c324a780-931b-49a9-9ea5-688762f33490/
SH256 hash:
2cf02eed84cfd8d8119df82bc7416a9683542bbdc916aa0285bdf33d98cb6e22
MD5 hash:
bb7d4048e094997554399dbea6d6a87f
SHA1 hash:
561fbc267e60555807b23533178466d2ff5fea09
Link:
https://www.unpac.me/results/c324a780-931b-49a9-9ea5-688762f33490/
SH256 hash:
df26d4873660dacb4d267d8289ffaa7f8825d3a8fa14b7dd4706754bfd2c1b32
MD5 hash:
8c6c0410d15faccc4d203aa49b343741
SHA1 hash:
1654d9e9887ae5bfb64d383337752a756592d0a0
Link:
https://www.unpac.me/results/c324a780-931b-49a9-9ea5-688762f33490/
SH256 hash:
d66f5288a48f0e4e35601236c1521ac742420c3e127b11aa190fc54b7ad85ad5
MD5 hash:
7f4e427936de0eecd46ce643bf5c0d36
SHA1 hash:
d912c978f83f0eed11a70eaaccc79543af5d7ccb
Link:
https://www.unpac.me/results/c324a780-931b-49a9-9ea5-688762f33490/
Malware family:
Ursnif
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d66f5288a48f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
ursnif3
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d66f5288a48f0e4e35601236c1521ac742420c3e127b11aa190fc54b7ad85ad5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_isfb_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.isfb.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

239b6f4cc07cf81d6f33bd45c47af76a7283c888f87c0042c3e8689c7e657ce0

Gozi

Executable exe d66f5288a48f0e4e35601236c1521ac742420c3e127b11aa190fc54b7ad85ad5

(this sample)

  
Dropped by
SHA256 239b6f4cc07cf81d6f33bd45c47af76a7283c888f87c0042c3e8689c7e657ce0
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/425629/
  
URLhaus
https://urlhaus.abuse.ch/url/2686295/

Comments